This is a
presentation I was working on for the malware class I'm enrolled in. For
some reason my voice was cracking while recording it, but I guess it was good
practice for the live version I'll do tomorrow. Besides just an introduction to Steganography, I'll also talk a little about my SnarlBot project that will
attempt to use stego in a command and control channel.

Definition
* Steganography is the practice of hiding data in other data in an effort to
keep 3rd parties from knowing that the intended message is even there
* Encryption's ugly stepbrother
* It has art aspects since human judgment is involved
Isn't this security through obscurity?
* Sort of
* With encryption alone, 3rd parties may not be able to read the message, but
they know one was sent
* In some cases, just being caught sending a message can bring suspicion, or
give information to the 3rd party
- Why is this person hiding something?
- Crypto laws http://rechten.uvt.nl/koops/cryptolaw/
- Why all the communication right now?
* Resistant to "Rubber-hose Cryptanalysis"
Thanks to Marcus J. Ranum for that lovely term

About the 1st article
* "Exploring Steganography: Seeing the Unseen" was published in 1998
* Over the last 12 years, bandwidth and storage have skyrocketed
* 24-bit images are common now, as are PNGs, which use lossless compression
* Still, the article gives a good intro to the subject which is why I chose it
over some newer articles
* The article mostly talks about images, but Steganography can be used in many
other places

Text Based Stego
Pros:
* Most "Web 2.0" apps accept text, not necessarily images
* Text takes up little space
Cons:
* Harder to encode and stay stealthy
* Fewer bits to hide in
* In some ways harder to code from a logic standpoint

I can has cheese burger? How are you?
i can haz chee$e burg3r? How are you? = 01000001 = A
i can has ch3ese burger? H0w r you? = 01011010 = Z
(On the slide, characters in red are the ones that were encoded; characters in
blue are ones that could have been encoded but were not needed.)
Issues:
* The encoder and decoder will be a tougher program to write, but I could do it
all in low ASCII.
* I would likely have less room to add data.
More ideas/concepts I've been playing with
* Simplify the language to conserve space

* Give the user a set of control characters they have to integrate into their
writing (Punctuation)
- "test" becomes ",&:!,',&"
- The user writes words around the punctuation to make it make sense:

Hi, Robin & I have been working on botnets:stegofun! Progress is slow, it's
taking a long time, it is time consuming & frustrating

- Could encode the most common letters as a single symbol, but that would break
if crypto were used, since ciphertext has no letter-frequency skew to exploit

* Trade-off between how often a character occurs in normal writing (more data
can be hidden) and how easy the cover text is to write (the Vanna White problem)
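The "control characters in the punctuation" idea above, as an added example (this is not SnarlBot's code, and the six-mark set, the 27-symbol alphabet and the resulting table are assumptions for the example, not the slide's own mapping). Each plaintext symbol becomes a fixed pair of marks, so the code does not depend on letter frequency and would survive being applied to base-27 encoded ciphertext; the decoder keeps only the marks, and a check function catches the failure mode the slide hints at, a stray comma or apostrophe in the cover text that silently shifts every later pair.

```python
"""Punctuation as control characters: added example, not SnarlBot's code.

The encoder turns the secret into a sequence of punctuation marks; a human
writes cover text whose marks, read in order, are exactly that sequence; the
decoder throws away everything except the marks. MARKS and ALPHABET are
assumptions for this example; the slide's own table (t -> ",&") is not used.
"""

MARKS = ",&:!';"                          # control characters the writer must work in
ALPHABET = "abcdefghijklmnopqrstuvwxyz "  # 27 symbols, 36 pairs available


def to_marks(message: str) -> str:
    """The punctuation sequence the cover text has to contain, two marks per symbol."""
    out = []
    for ch in message.lower():
        if ch not in ALPHABET:
            raise ValueError(f"{ch!r} is not in the alphabet")
        idx = ALPHABET.index(ch)
        out.append(MARKS[idx // len(MARKS)] + MARKS[idx % len(MARKS)])
    return "".join(out)


def extract_marks(cover: str) -> str:
    """Everything that is not a control mark is cover and is dropped."""
    return "".join(ch for ch in cover if ch in MARKS)


def decode(cover: str) -> str:
    marks = extract_marks(cover)
    if len(marks) % 2:
        raise ValueError("odd number of marks: cover is truncated or has a stray mark")
    out = []
    for i in range(0, len(marks), 2):
        idx = MARKS.index(marks[i]) * len(MARKS) + MARKS.index(marks[i + 1])
        if idx >= len(ALPHABET):
            raise ValueError(f"pair {marks[i:i + 2]!r} is not a valid code")
        out.append(ALPHABET[idx])
    return "".join(out)


def check_cover(cover: str, message: str) -> bool:
    """Run before posting: one extra comma or apostrophe corrupts the message."""
    return extract_marks(cover) == to_marks(message)


def expansion(cover: str, message: str) -> float:
    """Cover characters the writer had to produce per hidden character (the Vanna White cost)."""
    return len(cover) / len(message)


# Constructed cover text for to_marks("test"), which is "!&,'!,!&" under this table.
COVER = "Done! Robin & I finished, it's done! Sadly, no sleep! Coffee & pizza"

if __name__ == "__main__":
    print(to_marks("test"))
    print(decode(COVER), check_cover(COVER, "test"), expansion(COVER, "test"))
```

The expansion figure is the trade-off from the last bullet in numbers: with two marks per letter the writer produces well over ten characters of cover for every hidden character, and a mark set drawn from rarer punctuation (semicolons, colons) makes the cover harder to write than one drawn from commas and apostrophes.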

Send a Zip file as an Office doc?
* Upload to Google Docs
* Email to an account that the other end checks

SnarlBot Project

SnarlBot
* A simple botnet that uses Social Media/Web 2.0 web apps for "blind drops" as
part of the command and control channel
* Content at the blind drops uses steganography so it's not obviously a botnet
doing the communicating

Topology

This scheme's advantages
* The blind drop obfuscates who is controlling the botnet
* Proxies can be used for web traffic to further obfuscate the identity of the
bot herder
* Steganography plus encryption makes the channel hard to detect
* Social web sites like Twitter or Facebook are not as likely to be blocked as
IRC or P2P
* SSL support for the C&C is provided by the web host of the blind drop
Disadvantages
* More data has to be sent to get a message through
* The more complicated something becomes, the more bugs it will have
* May have to simplify the C&C commands
- Use single byte command: "a" for attack
- IPv4 addresses can be expressed in 4 bytes
- This makes the steganography less adaptable, but more meaning can be encoded in
fewer bytes
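An added example that ties the "I can has cheese burger" substitution slide to the single-byte command idea above (this is not SnarlBot's code). Every letter that has a substitute in an assumed leet table is a one-bit slot: substituted means 1, left alone means 0, and unused slots stay as written, exactly like the "could have been encoded but were not needed" characters on the slide. A command is one opcode byte plus a 4-byte IPv4 address, so "a" for 10.0.0.5 needs 40 such letters of cover; the slide's own sentence holds 13 bits, enough for the opcode but not the address, which is why the example appends more constructed sentences. The substitution table, the extra cover sentences and the command layout are assumptions for this example.

```python
"""Bit-per-substitution text stego plus a 5-byte C&C command.

Added example, not SnarlBot's code. SUBS is an assumed substitution table.
"""
from __future__ import annotations

import socket
import struct

SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}  # assumed table
REVERSE = {v: k for k, v in SUBS.items()}


def slots(text: str) -> list[int]:
    """Positions that carry a bit: a substitutable letter or its substitute."""
    return [i for i, ch in enumerate(text) if ch.lower() in SUBS or ch in REVERSE]


def capacity(cover: str) -> int:
    """How many bits a clean cover text can hide."""
    if any(ch in REVERSE for ch in cover):
        # A genuine '3', '@', '$' ... in the cover would be read as a 1 bit and
        # shift every later slot, so refuse such covers up front.
        raise ValueError("cover already contains substitute glyphs; decoder would misalign")
    return len(slots(cover))


def embed(cover: str, payload: bytes) -> str:
    """Set bit k of the payload by substituting the k-th slot character (MSB first)."""
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    if len(bits) > capacity(cover):
        raise ValueError(f"need {len(bits)} slots, cover has {capacity(cover)}")
    out = list(cover)
    for bit, pos in zip(bits, slots(cover)):
        if bit:
            out[pos] = SUBS[cover[pos].lower()]
    return "".join(out)


def extract(stego: str, n_bytes: int) -> bytes:
    """The receiver knows the fixed command length, so no length prefix is needed."""
    used = slots(stego)[: 8 * n_bytes]
    if len(used) < 8 * n_bytes:
        raise ValueError("text too short to hold the expected payload")
    bits = [1 if stego[i] in REVERSE else 0 for i in used]
    return bytes(int("".join(map(str, bits[k:k + 8])), 2) for k in range(0, len(bits), 8))


# Compact command format: one opcode byte followed by an IPv4 address in
# network byte order, 5 bytes in total (an assumed layout for this example).
def pack_command(opcode: str, ip: str) -> bytes:
    return struct.pack("!c4s", opcode.encode("ascii"), socket.inet_aton(ip))


def unpack_command(data: bytes) -> tuple[str, str]:
    opcode, raw_ip = struct.unpack("!c4s", data)
    return opcode.decode("ascii"), socket.inet_ntoa(raw_ip)


# Constructed cover text; the first sentence is the one from the slide.
SHORT_COVER = "I can has cheese burger? How are you?"
LONG_COVER = (SHORT_COVER + " Been at the office all week, the test suite still "
              "fails on most of the hosts so we are staying late again tonight.")

if __name__ == "__main__":
    cmd = pack_command("a", "10.0.0.5")      # "attack 10.0.0.5", 5 bytes = 40 bits
    post = embed(LONG_COVER, cmd)
    print(post)
    print(unpack_command(extract(post, 5)))
    print(f"{len(post)} cover characters carried {len(cmd)} bytes")
```

Running it puts numbers on the "more data has to be sent" disadvantage: the five-byte command needs well over a hundred characters of cover, and a cover that already contains a digit or an "@" (an e-mail address, a price) is refused, because the decoder could not tell a natural "3" from a substituted "e" and every later bit would shift.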